file fragment analysis
- To: [EMAIL PROTECTED]
- Subject: file fragment analysis
- From: Svein Yngvar Willassen <[EMAIL PROTECTED]>
- Date: Mon, 11 Aug 2003 14:12:37 +0200 (CEST)
Hello folks!
While I was working with a case today, I stumbled across a large amount of
binary material in unallocated space, which I am unable to identify. The
material did not contain any specific words or other signatures that would
enable me to see what kind of file it originally had been. While this is
not important in this particular case, it struck me that it should be
possible to produce new ways of identifying file types, based on content
rather than on header/footer signature.
One could for example build a frequency signature by counting the number
of each byte in the data. Such a signature could be extended by
frequencies of digraphs (2-byte combinations), trigraphs etc. When the
proper way of building a signature has been found, one could build a
database of signatures of all known file types, much like the signatures
in /etc/magic in UNIX-systems.
One would now be able to identify a file type just from a fragment, like
in the situation above. I believe this would be of great value for
computer forensic investigators.
Has anyone heard of research along these lines, or perhaps even a tool to
do this?
--
Svein Y. Willassen, M.Sc
investigation manager, computer forensics, Ibas AS
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
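The frequency-signature idea sketched in the post, as an added example that is not part of the original message: byte and digraph frequencies are turned into normalised fingerprints, a small signature database is built from labelled reference samples, and an unknown fragment is matched to the nearest signature. The three "file types" and all sample data are constructed stand-ins, and the L1 distance is one reasonable choice of comparison, not a standard.

```python
"""Byte-frequency fingerprints for identifying file fragments (added example).

Assumptions: the three "file types" below are constructed stand-ins, not real
formats, and the L1 distance is just one reasonable way to compare signatures.
"""
from collections import Counter
import random

def fingerprint(data: bytes, n: int = 1) -> dict:
    """Relative frequency of each n-byte sequence (n=1 bytes, n=2 digraphs, ...)."""
    if len(data) < n:
        return {}
    counts = Counter(data[i:i + n] for i in range(len(data) - n + 1))
    total = sum(counts.values())
    return {seq: c / total for seq, c in counts.items()}

def distance(a: dict, b: dict) -> float:
    """L1 distance between two fingerprints: 0.0 identical, 2.0 fully disjoint."""
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))

def build_db(samples: dict, n: int = 1) -> dict:
    """Signature database (the /etc/magic analogue) from labelled reference samples."""
    return {name: fingerprint(data, n) for name, data in samples.items()}

def classify(fragment: bytes, db: dict, n: int = 1) -> tuple:
    """Nearest signature to the fragment; the distance lets a caller reject weak matches."""
    fp = fingerprint(fragment, n)
    dist, name = min((distance(fp, sig), name) for name, sig in db.items())
    return name, dist

# Constructed reference samples (not real files): English text, uniform random
# bytes standing in for compressed/encrypted data, and a zero-padded binary.
_rng = random.Random(2003)
_BIN_ALPHABET = b"\x00\x00\x00\x00\x00\xff\x90\x8b\x48\x89"
SAMPLES = {
    "text": b"Forensic examiners often find unallocated clusters holding fragments "
            b"whose origin cannot be told from a header or footer alone. " * 20,
    "compressed": bytes(_rng.getrandbits(8) for _ in range(2000)),
    "padded_binary": bytes(_rng.choice(_BIN_ALPHABET) for _ in range(2000)),
}

# Constructed unknown fragments, deliberately different from the reference data.
_rng2 = random.Random(1980)
FRAGMENTS = {
    "text": b"Counting how often each byte value and each pair of values occurs "
            b"gives a signature of the content itself.",
    "compressed": bytes(_rng2.getrandbits(8) for _ in range(600)),
    "padded_binary": bytes(_rng2.choice(_BIN_ALPHABET) for _ in range(600)),
}

if __name__ == "__main__":
    db = build_db(SAMPLES)
    for truth, frag in FRAGMENTS.items():
        print(truth, "->", classify(frag, db))
```

The returned distance matters as much as the label: a fragment whose nearest signature is still far away should be reported as "unknown" rather than forced into a type.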